Manufacturing Keeps Getting Hit While Everyone Watches AI Zero-Days
“The notion of a criminal ransomware group retaining lawyers fully versed in international data requirements is absurd — until you realize the ‘lawyer’ is an LLM. For criminal purposes, it doesn’t matter if the claim is true; it only matters if it sounds plausible. If there’s one thing LLMs are good at, it’s making a wide range of statements sound plausible.”

It’s still survey season, right before Black Hat, and GuidePoint’s GRIT team dropped their Q2 2026 Ransomware and Cyber Threat Insights Report. Yes, a half dozen “reports” were also burped out by LLMs from vendors you’ll never hear of (but have a budget for PR Newswire), but I know folks at GuidePoint and have given a talk or two at their conferences, and they’re nice people. Coincidentally, I just recorded an episode of “IT Horror Stories with Jack Smith” about a cardboard manufacturer breach, and the timing’s too perfect to ignore. While I was telling the story of how a golf buddy of my CEO (at the time) called my CEO to ask for help with a ransomware attack, GuidePoint was confirming that manufacturing remains the single most targeted industry vertical for the umpteenth quarter in a row. And they’re not the only ones pointing out how manufacturing’s getting wrecked regularly.
ZeroFox tracked 1,885 separate ransomware and data extortion incidents for Q2 2026 (yeah, another report before Black Hat), and their data shows manufacturing hitting roughly 20 percent of all R&DE incidents consistently since at least 2021. Verizon’s 2026 DBIR provides more context: 3,627 total incidents in the sector with 61 percent driven by ransomware. None of this is surprising anymore. What should worry leaders is the stagnation, because we’ve identified the top target for five years straight and the attack vectors haven’t fundamentally shifted. Vulnerability exploitation accounts for 38 percent of manufacturing breaches according to Verizon, while third-party connections factor into 61 percent of those compromises. The playbook to fix this exists, it’s just that manufacturers aren’t prioritizing it. I’m hoping this isn’t going to lead to what happened to banking, which exists in a self-imposed regulatory nightmare world created in response to persistent inaction.
But ransomware isn’t the problem – what gets stolen is the real problem in manufacturing. GRIT notes data extortion is displacing encryption-centric models because exfiltration is cheaper and quieter than deploying ransomware against well-backed-up systems. No kidding. Ransomware’s noisy – the point is to let the victim know they’ve been wrecked; data exfiltration is quiet and allows for a better negotiating position (see below).
In manufacturing, the data being siphoned off rarely looks like standard personally identifiable information. It’s not credit cards or health records – it’s none of the things that your AI-powered zero-trust firewall DLP thing (that your CFO is looking to defund) is going to have a regular expression for. Internal data appeared in 81 percent of manufacturing breaches in the Verizon report, and that means process sheets, formulations, supply chain contracts, tuning parameters, and all the PLM files that stubbornly resist data classification (which is often an operator issue). Copying a product design gives a competitor a cheap knockoff (hi there, China!), but stealing the manufacturing process lets them skip years of R&D and scale immediately.
The other part of the GuidePoint report covers artificial intelligence and I love that they went in a different direction. Media outlets are currently spending cycles hyping Mythos-style fears about AI generating zero-day exploits autonomously (which will help Anthropic’s eventual IPO), but GRIT found zero evidence of that trend taking hold in the wild. Instead, threat actors are using LLMs to hold their own at the negotiation table. Two case studies make this concrete:
- FulcrumSec reportedly ran an exfiltrated production database through an unidentified LLM to generate step-by-step instructions for linking user identities across complex schemas, then used that output to anchor a ransom demand based on evidence
- DragonForce went a different route, claiming to retain legal counsel to pressure victims regarding regulatory exposure, except the lawyer was an LLM
The goal of using AI for threat actors isn’t Hollywood stunt hacking; it’s professional polish in their communications.
Which changes ransomware negotiations a smidge. Historically, analysts could spot non-native English speakers during negotiations as a soft attribution marker, and language barriers created friction that gave defenders breathing room. LLMs erase that signal. During the podcast, we discussed how a ransomware negotiator managed the human element of the attack. Now the other side has automation to support the ransomware operator.
This means unsophisticated groups can now negotiate with the fluency of seasoned criminals and native English speakers, and GRIT warns that attribution confidence is dropping while negotiation dynamics are shifting towards the threat actor. Obviously, the translations aren’t perfect, but the gap between sophisticated and unsophisticated groups is shrinking in ways that make victim preparation critically more important.
Defenders keep missing the forest for the trees. This isn’t about AI and it’s not about ransomware – it’s about manufacturers hoping that they won’t get hit, and possibly about the lack of disincentives outside of higher insurance premiums. But you can’t build a security strategy around luck or hoping your adversaries make sloppy communications mistakes. Patch your known vulnerabilities. Have a good look at your third-party integrations. And understand that process data is a strategic asset worth protecting just as much as your customer lists. The threat isn’t coming. It’s already out there, somewhere, on your factory floor.